
Does that token not become a new attack vector that also needs a certain level of security or encryption?

Or because it expires, the duration means it doesn't matter if it's compromised?



Exactly this.

I see that token used - sometimes in the http request header - but most of the time as a param in the GET request, over plain http.

Does it even matter if my auth was secure? I just need to get hold of some access logs and I can impersonate everyone?


If you're writing http headers out to your apache logs on your production server, you're doing it _severely_ wrong.

edit: I'm specifically talking about http basic auth with a precomputed "Authentication: base64($username + $passwd)" header, not a GET of "/foobar?api_key=12345abcd". The latter is obvious in its failures and is not related to http basic auth.


Obviously :-) If you're going after basic-auth-headers, you'd probably be sniffing the network.

> Authenticate once, generate a token, and use the token for auth from that point.

If that token is passed back and forth in the http url, it ends up at places where it's easy to find/intercept.

You can use a gazillion bcrypt rounds to store the password: they still send me a link to a page, including their auth-token.


Edit: My intention was to get some input on how to properly use auth-tokens.
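As an added example for the problem this thread keeps circling back to (tokens passed as GET parameters ending up in access logs and Referer headers), here is a small scanner that finds such leaks in a log and redacts them so the log can be kept or shared safely. It is not any commenter's code; it assumes Apache/nginx "combined" log format and a constructed list of parameter names that carry credentials.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names commonly used to carry credentials (assumed list; extend as needed).
SENSITIVE_PARAMS = {"api_key", "apikey", "token", "access_token", "auth_token", "key"}

# Combined log format: client ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$'
)

# Constructed sample lines: a token in the request URL, a clean request, and a
# token leaking through the Referer of a link someone clicked from a shared page.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Mar/2024:10:01:02 +0000] "GET /foobar?api_key=12345abcd HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.5 - - [12/Mar/2024:10:01:03 +0000] "GET /static/app.css HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Mar/2024:10:02:00 +0000] "GET /shared HTTP/1.1" 200 77 "https://app.example/report?token=eyJhbGci.x.y&v=2" "Mozilla/5.0"',
]


def redact_url(url):
    """Return (url with sensitive query values replaced, list of leaked parameter names)."""
    parts = urlsplit(url)
    leaked, cleaned = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS and value:
            leaked.append(name)
            value = "[REDACTED]"
        cleaned.append((name, value))
    # safe="[]" keeps the marker readable instead of percent-encoding it
    return urlunsplit(parts._replace(query=urlencode(cleaned, safe="[]"))), leaked


def scan_access_log(lines):
    """Return (client, timestamp, leaked_params, redacted_line) for each line whose
    request path or Referer carries a credential in its query string."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        client, ts, _method, path, _status, referer = m.groups()
        safe_path, leaked_path = redact_url(path)
        safe_ref, leaked_ref = redact_url(referer) if referer != "-" else (referer, [])
        leaked = leaked_path + leaked_ref
        if leaked:
            redacted = line.replace(path, safe_path).replace(referer, safe_ref)
            findings.append((client, ts, leaked, redacted))
    return findings


if __name__ == "__main__":
    for client, ts, leaked, redacted in scan_access_log(SAMPLE_LOG):
        print(f"{ts} {client} leaked {leaked}\n  {redacted}")
```

Running it over a real log after the fact only limits the damage; the durable fix is to accept tokens only from the Authorization header, so they never reach the URL, the access log, or a Referer in the first place.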

